Category Archives: News

Are Fingerprints Less Safe Than Passcodes?

Locking your phone with a fingerprint is more secure than using a password, right? Maybe from a hacker, but not from the law. In a Virginia Circuit Court opinion handed down on October 28, 2014, Judge Steven C. Fucci ruled that fingerprints are not covered by the Fifth Amendment’s protection against self-incrimination, and as such, the government may compel a criminal defendant to give up his fingerprint in order to unlock a cell phone.

According to news outlets, Judge Fucci reasoned that giving police a fingerprint is akin to providing DNA, a handwriting sample, or an actual key, which the law in Virginia permits. In contrast, if the police were seeking a password or passcode to unlock a phone, it would be prohibited by the Fifth Amendment because it would require the criminal defendant to divulge his personal knowledge.

This ruling comes in the case of David Baust, an individual accused of domestic violence. Police obtained a search warrant for Baust’s phone, believing it contained a recording of an attack. Baust refused to unlock the phone, saying that the police could access embarrassing items on the phone unrelated to the case. Interestingly, the phone was shut off while in police custody and may require a passcode in addition to a fingerprint to be unlocked. If so, prosecutors would have to tackle the issue of passcodes and the Fifth Amendment in the appellate court.

While this ruling has garnered national attention, it remains to be seen whether other courts in Virginia and courts in other jurisdictions will follow suit. Regardless, it is another example of the interesting intersection between law and technology.

Perhaps It’s Time to Get Rid of That Browsewrap Agreement

On August 18, 2014, the 9th Circuit Court of Appeals affirmed a district court’s holding that Kevin Khoa Nguyen could not be compelled into arbitration with Barnes & Noble over a claim arising out of Mr. Nguyen’s online purchase of an HP TouchPad that Barnes & Noble later cancelled.

Barnes & Noble argued that by accessing its website, Mr. Nguyen consented to the site’s Terms of Use (“TOU”), which provided: “By visiting any area in the Barnes & Noble.com Site, creating an account, [or] making a purchase via the Barnes & Noble.com Site… a User is deemed to have accepted the Terms of Use.” The compulsory arbitration language was contained in the TOU as well.

While the 9th Circuit’s analysis focused on the applicability of the arbitration provision, its holding calls into question the validity of browsewrap agreements in general.

A website’s Terms of Use is a contract between the website owner and the website’s visitors. For any contract to be legally binding, the parties must manifest their assent to be governed by its terms. See Register.com, Inc. v. Verio, Inc., 356 F.3d 393, 403 (2d Cir. 2004) (“While new commerce on the Internet has exposed courts to many new situations, it has not fundamentally changed the principles of contract”). In keeping with the tradition that assent may be expressed in writing, orally, or by conduct, many website owners and online service providers use “clickwrap” or “browsewrap” agreements to bind their online consumers. Users consent to clickwrap agreements by some form of affirmative express consent, typically clicking an “I Agree” box, before accessing the website or online service. A browsewrap agreement, on the other hand, does not block a user from accessing the website or online service; the agreement is merely accessible to the user via a hyperlink, typically located at the bottom of the page. Since browsewrap agreements lack the user’s explicit assent (no “I Agree” box), their enforceability hinges on whether the user had actual or constructive knowledge of the website’s TOU. Until this opinion, constructive knowledge was generally inferred where notice of the TOU was conspicuously displayed on the website.

In Nguyen v. Barnes & Noble, the 9th Circuit found that Mr. Nguyen had neither actual nor constructive knowledge of Barnes & Noble’s browsewrap TOU. It held that since there was no evidence Mr. Nguyen read the TOU, or even clicked on the TOU hyperlink, he did not assent to the TOU and therefore cannot be bound by its terms. This is despite the fact that Barnes & Noble had placed hyperlinks to its TOU on every page of its website and in the online checkout process, and that such links were underlined and set off in green typeface. Without more, the court held, this did not amount to constructive notice of the TOU.

What’s more, the court provided examples from case law where courts found that users had assented to browsewrap agreements:

  • Register.com, Inc. v. Verio, Inc.: Defendant admitted that it was fully aware of the terms on which plaintiff offered access to its online service, and defendant repeatedly accessed plaintiff’s service;
  • Southwest Airlines Co. v. BoardFirst, LLC: Defendant continued its breach after being notified of the terms in a cease and desist letter;
  • Ticketmaster Corp. v. Tickets.com, Inc.: Defendant continued to breach the TOU after receiving a letter from plaintiff quoting the browsewrap contract terms;
  • Zaltz v. JDATE: The court enforced the forum selection clause of the browsewrap agreement where prospective members had to check a box next to the statement “I confirm that I have read and agreed to the Terms and Conditions of Service”;
  • Fteja v. Facebook, Inc.: The court enforced the forum selection clause in a browsewrap TOS where notice below the “Sign Up” button stated “By clicking Sign Up, you are indicating that you have read and agree to the Terms of Service,” where “Terms of Service” was a hyperlink and there was evidence the plaintiff had clicked “Sign Up”;
  • Cairo, Inc. v. Crossmedia Servs., Inc., No. 04-04825, 2005 WL 756610 (N.D. Cal. Apr. 1, 2005): The court enforced the forum selection clause in a website’s TOU where every page on the website had a textual notice that read: “By continuing past this page and/or using this site, you agree to abide by the TOU for this site, which prohibit commercial use of any information on this site.”
    • Compare the decision in Cairo with Pollstar v. Gigmania, where the court refused to enforce a browsewrap agreement because the textual notice appeared in small gray print against a gray background.

Interestingly, the 9th Circuit also affirmed the district court’s second holding that Mr. Nguyen was not estopped from denying the applicability of the arbitration clause even though he took advantage of the TOU’s choice of law provision when bringing this lawsuit. The court distinguished this case from previous cases applying the doctrine of direct benefits estoppel because Mr. Nguyen was not a third-party beneficiary of the TOU but a party to it, and the choice of law provision was not a benefit intended for Mr. Nguyen specifically.

Although the court did not invalidate browsewrap agreements per se, this opinion and the court’s recommendations on the extra steps required make browsewrap agreements a much less attractive option.

Square raising additional funds – $6 Billion valuation to compete with Apple Pay

Square just closed a $150 million Series E round of fundraising (that would be after A, B, C, D…). The valuation has fallen relative to its payment-processing volume: Square is expected to process roughly $30 billion in transactions this year; it processed $20 billion last year at a valuation of $5 billion in 2013; and in 2011 it processed $1.46 billion in transactions at a valuation of $1.6 billion. Square also lost $100 million in 2013.

It is unknown whether Square needs the funds to pay its bills, acquire additional companies, or meet other internal operating priorities.

There is a lot of buzz in the payment space, especially with the anticipation that Apple Pay will make NFC payments more widely available and an accepted form of payment. This is also making the space more crowded: Intuit, PayPal and others are all competing for it.

Proposed Changes to Section 230 of the Communications Decency Act

One of the most important federal laws for websites is Section 230 of the Communications Decency Act of 1996. Section 230 provides immunity to providers and users of an “interactive computer service” by stating that “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” The relevance for the tech community is that a company cannot be held liable for causes of action based on content generated by its users. This immunity applies even if the website ignores take-down notices and exercises editorial control over the user-generated content.

Without Section 230, websites would have to either eliminate user-generated content (which includes everything from profile customization, comment sections, messaging services, blogging, search engines, etc.) or implement costly monitoring programs and filtering tools. Even with such measures, it would be impossible to appreciably diminish a website’s potential liability.

Websites should take note that Section 230 immunity is not absolute; there are four statutory exceptions. First, Section 230 cannot impair the enforcement of any federal criminal statute, including certain federal laws related to obscenity, harassment, or the sexual exploitation of minors. Second, Section 230 does not limit or expand any law pertaining to intellectual property (websites may instead be eligible for safe harbor protection from copyright infringement claims under the DMCA). Third, Section 230 does not prevent any state from enforcing a state law that is consistent with Section 230, but states cannot bring a cause of action that is inconsistent with it. Lastly, Section 230 has no effect on the Electronic Communications Privacy Act of 1986 or any similar state law.

In a July 23, 2013 letter to Congress, 47 state attorneys general and the attorneys general of the Virgin Islands and Guam requested an amendment to Section 230 to add a further statutory exception: state criminal laws. In the letter, the AGs describe the states’ inability to prosecute websites that they assert “have constructed their business models around income gained from participants in the sex trade.”

There has been support for the amendment because, for the most part, states have been unable to convince the courts to pierce Section 230 immunity for websites that feature revenge porn or advertise (even unwittingly) prostitution services. See, e.g., Barnes v. Yahoo!, 570 F.3d 1096 (9th Cir. 2009) (holding that Section 230 immunity applied to the claim that Yahoo! acted negligently by not removing nude images of the plaintiff posted by an ex-boyfriend, but did not apply to the promissory estoppel claim); see also Dart v. Craigslist, Inc., 665 F. Supp. 2d 961 (N.D. Ill. 2009) (applying Section 230 immunity to a sheriff’s allegation that Craigslist’s adult section was a public nuisance).

Overall, the tech community has come out strongly against the proposed amendment because it would undermine the intent of Section 230. Instead of developing new products and services, websites would spend their time and resources filtering and monitoring user-generated content in a vain attempt to guard against the countless state criminal laws, not just the ones that combat revenge porn and prostitution. Even then, monitoring programs and filtering tools are not fail-proof, and one unlawful comment could be enough to send a startup back to square one. And even if the content were adjudicated not to be unlawful, the time and expense of defending the lawsuit could be just as harmful. This grim future assumes that websites would even consider allowing user-generated content.

One proposal that has been put forth is to leave Section 230 as is and enact new federal and state legislation specifically addressing the conduct of websites that allow, and arguably turn a blind eye to, the sex trade. There has been some effort in this direction.

For example, New Jersey’s invasion of privacy law prohibits the dissemination of sexual recordings or pictures without the consent of the person depicted in the recording and/or picture. New Jersey also criminalizes “advertising commercial sexual abuse of a minor,” which a person commits if he “knowingly publishes, disseminates, or displays, or causes directly or indirectly, to be published, disseminated, or displayed, any advertisement for a commercial sex act, which is to take place in this State and which includes the depiction of a minor” or “knowingly purchases advertising in this State for a commercial sex act which includes the depiction of a minor.”

Another example is California, which makes revenge porn a misdemeanor punishable by up to six months in jail and a $1,000 fine. However, shortcomings of the law have greatly limited its application, as the law only applies to individuals who both took the photo and distributed it. The law’s author, state Sen. Anthony Cannella (R-Ceres), explains that he excluded self-taken photos out of concern that covering them could add to the overcrowded prison population. Sen. Cannella says he plans to extend the law to cover “selfies” when the state legislature returns in January 2014, but believes that the Communications Decency Act should be amended to remove protections for revenge porn websites.

To further complicate matters, websites should also consider that while the European Union does have laws providing immunity for websites that host content, European courts’ rulings delineating between hosting content and creating it have been inconsistent.

In 1998, a German court convicted, and a year later acquitted, a CompuServe executive for the publication and distribution of images of violence, child pornography, and bestiality, as well as for providing access to video games considered “morally harmful to youth” under German law. The CompuServe executive was acquitted under Section 5(3) of Germany’s Information and Communications Services Act, which provides that “an Internet Service Provider who provides access to material without being able to influence its content should not be responsible for that content.”

In 2010, an Italian court convicted, and two years later acquitted, three senior Google executives for defamation and data protection violations based on a video, uploaded to a Google-controlled website by a student, that depicted an autistic child being bullied. The Google executives had been sentenced to six-month suspended jail sentences, despite the fact that Google removed the video after receiving warnings from advocacy groups.

Lastly, just a few weeks ago, the European Court of Human Rights rejected the application of the Internet news portal Delfi, which the Estonian Supreme Court had found to have violated the “personality rights” of an individual who was the subject of defamatory comments posted by the website’s users. Although Delfi operates one of the largest news websites in Estonia, with hundreds of articles posted daily and tens of thousands of comments appended to them, the Estonian Supreme Court upheld the lower court’s finding that Delfi “had not been required to exercise preliminary control over comments posted on its news portal. However, having chosen not to do so, it should have created some other effective systems which would have ensured rapid removal of unlawful comments from the portal.” The lower court’s finding that “the measures taken by [Delfi] were insufficient and that it was contrary to the principle of good faith to place the burden of monitoring the comments on their potential victims” was also upheld.

At the time this post was written, Congress had yet to respond to the AGs’ letter. In the meantime, this firm will be on the lookout for updates.

Updated: Data Security Breach Notification Requirements in the United States, European Union and Canada

Overview

An entity that compiles, maintains, or leases computerized records containing personal information is subject to data security breach notification laws. These notification laws instruct entities that have suffered a breach of their data security on what kinds of personal information are protected under the law, what events count as improper disclosures that trigger the notification duty, and the prescribed methods of notification. This post provides a brief overview of relevant U.S. federal laws, U.S. state laws, the US-EU Safe Harbor Program and Canada’s Personal Information Protection and Electronic Documents Act.

United States Federal Law

Financial institutions that are significantly engaged in offering financial products and services are covered by the Gramm-Leach-Bliley Act (the “GLB Act”). The statute defines “financial institution” broadly: it includes banks and mortgage lenders and, in certain circumstances, may also include check-cashing businesses, payday lenders, non-bank lenders, personal property and real estate appraisers, professional tax preparers and courier services. The GLB Act supersedes any state law that is inconsistent with its provisions, unless the state law affords consumers greater protection than the GLB Act. Therefore, it is advisable that businesses seek the counsel of an attorney familiar with both federal and state provisions.
Under the GLB Act, a financial institution is required to implement a privacy policy and share it with consumers who obtain financial products or services primarily for personal, family or household purposes. The privacy policy is initially shared once a customer relationship is established, and then every 12 months during that relationship. Among other things, the privacy policy must describe the conditions under which the financial institution may disclose personal information about consumers to nonaffiliated third parties and explain the “opt out” procedure consumers can use to prevent the financial institution from disclosing their personal information to most nonaffiliated third parties. The GLB Act contains several exceptions that permit the disclosure of certain nonpublic personal information to nonaffiliated third parties. For example, disclosure is permitted to a nonaffiliated third party that performs services on behalf of the financial institution if the disclosed information is necessary to effect, administer, or enforce a transaction that the consumer requested or authorized. Because what is “necessary” under the law may be a difficult standard to apply, businesses should consult their legal counsel before disclosing information.
The GLB Act also sets forth the minimum security standards financial institutions must meet to protect the confidentiality of their customers’ information. The GLB Act’s Safeguards Rule has broader reach than the Act’s privacy provisions, applying to all financial institutions subject to the jurisdiction of the Federal Trade Commission, regardless of whether the consumer information was derived from financial services obtained for a personal or business purpose or whether the institution obtained the information through a customer relationship. Specifically, the Safeguards Rule requires financial institutions to implement administrative, technical and physical safeguards based on that institution’s reasonably foreseeable risks. Those risks are assessed across a variety of areas, including employee training and management; the condition and integrity of the information systems used; and methods of detecting, preventing and responding to attacks, intrusions or other system failures. The resulting security program must be periodically evaluated and adjusted.
For companies in the health care field, the Health Insurance Portability and Accountability Act (HIPAA) provides a set of notification requirements and security standards for health plans, health care clearinghouses, health care providers and certain other covered entities. HIPAA was enacted in part to prevent the disclosure of “individually identifiable health information,” also referred to as “protected health information” or simply “PHI.” Under HIPAA, PHI is information that relates to an individual’s past, present, or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. There are no restrictions on the use or disclosure of de-identified health information; de-identification can be accomplished by the safe-harbor method (removal of a specified list of identifiers) or through a determination by a qualified statistician.
Under HIPAA’s Privacy Rule, covered entities must develop a notice of their privacy practices and provide it to patients. Covered entities with a direct treatment relationship must give notice no later than the first service encounter or, in an emergency treatment situation, as soon as practicable thereafter. The notice must also be available upon request and on any website the covered entity maintains for customer service. The Privacy Rule strictly limits the circumstances in which PHI may be used or disclosed by covered entities, with or without a patient’s authorization. Generally, a covered entity is permitted to use or disclose PHI without the patient’s authorization at the request of law enforcement, for public health purposes, to avert a serious threat to health or safety, and in other specified instances. However, clearance by legal counsel is advisable, as these exceptions are not available in all circumstances.
Similar to the regulation of financial entities under the GLB Act, HIPAA also includes a Security Rule, which provides that covered entities must protect against reasonably anticipated threats to the security or integrity of PHI and against any reasonably anticipated uses or disclosures not permitted under the Privacy Rule. Further, and notably, covered entities must have policies in place ensuring that third parties that hold PHI on their behalf comply with the same privacy and security standards. As with financial institutions under the GLB Act, covered entities may select which security measures to implement, as long as the measures are reasonable and appropriate under HIPAA’s standards. The security standards include both required specifications (for example, a covered entity must have a sanction policy for workforce members who fail to comply with its security policies and procedures) and addressable specifications, which covered entities evaluate for appropriateness and reasonableness in their own environment (for example, procedures for monitoring workforce log-in attempts and reporting discrepancies). In doing so, covered entities must take into consideration their size, their technical infrastructure, the cost of security measures, and the probability and criticality of potential risks.
​Third-parties that are in possession of PHI on the covered entities’ behalf are termed “business associates.” Business associates are individuals or organizations, which are not part of the covered entity’s workforce, that create, receive, maintain, or transmit PHI on the covered entity’s behalf. Covered entities are obliged to enter into written agreements with business associates that impose specified written safeguards on the PHI used or disclosed by the business associates.
The Health Information Technology for Economic and Clinical Health Act (HITECH) extended the breadth of many of HIPAA’s privacy and security measures. For example, if there is a breach of unsecured PHI, covered entities are required to notify the affected individuals and the Secretary of the Department of Health and Human Services and, if the breach involves more than 500 individuals in a state or jurisdiction, prominent media outlets serving that state or jurisdiction. HITECH also extended the standards of HIPAA’s Privacy Rule and Security Rule to covered entities’ business associates, along with the civil and criminal penalties for violating them.
The Federal Trade Commission (“FTC”) also imposes the Health Breach Notification Rule, which applies to certain foreign and domestic businesses that access or use the personal health records of U.S. citizens and residents. The Health Breach Notification Rule applies irrespective of whether the entity is otherwise subject to the jurisdiction of the FTC, and it excludes HIPAA-covered entities.
What constitutes a breach under the FTC’s Health Breach Notification Rule, the method of notification, and the content of the notice are all similar to HIPAA’s provisions. Like HIPAA, the FTC rule requires covered vendors to notify each consumer whose unsecured personal health record information was acquired by an unauthorized person as a result of a breach of security. Breached entities must also notify the FTC. Methods of notice include individual mailed notice; email, if the consumer has consented to it; and, where the personal health records of 500 or more residents of a state are involved in a suspected or actual breach, notice to prominent media outlets serving that state. Further, third-party service providers must notify the vendor in cases of breach or suspected breach. Notice must be sent without unreasonable delay and in no case later than 60 calendar days after the breach is discovered or reasonably should have been discovered.
The last prominent federal law regarding consumer data breaches is Section 5 of the Federal Trade Commission Act (the “FTC Act”). If a private company states in its privacy policy that it will notify individuals whose personal information may have been accessed without authorization, and then fails to provide such notification, that failure may be an unfair or deceptive trade practice prohibited under the FTC Act.
As is evident from the above synopsis, there is no single comprehensive federal law governing data security breaches. To further complicate matters, in addition to the federal statutes, almost all states have their own breach notification laws. Attempts have been made in Congress to pass bills designed to provide greater uniformity among the states’ respective notification laws; as of the date of this post, these attempts include:

Status as of August 21, 2013:

  • H.R. 749, Eliminate Privacy Notice Confusion Act (Rep. Luetkemeyer): passed the House on March 12, 2013 and goes to the Senate next for consideration.
  • S. 635, Privacy Notice Modernization Act of 2013 (Sen. Brown): assigned to a Senate committee on March 21, 2013, which will consider it before possibly sending it on to the Senate as a whole.
  • H.R. 1121, Cyber Privacy Fortification Act of 2013 (Rep. Conyers, Jr.): referred to the House Subcommittee on Crime, Terrorism, Homeland Security, and Investigations on April 15, 2013.
  • S. 1193, Data Security and Breach Notification Act of 2013 (Sen. Toomey): referred to the Senate Committee on Commerce, Science, and Transportation on June 20, 2013.

United States State Law

Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have a breach notification law (BNL) that requires persons and organizations to notify individuals whose personal information has been breached. In addition, New York City has its own breach notification rules, applicable to any business subject to the jurisdiction of the city’s Department of Consumer Affairs that holds personal information of any New York City resident.
BNLs vary by jurisdiction but share several elements. In many jurisdictions, “personal information” is an individual’s first name or first initial and last name combined with one or more of the following data elements: (i) Social Security number; (ii) driver’s license number or state-issued ID card number; (iii) account number, credit card number or debit card number, combined with any security code, access code, PIN or password needed to access the account. Some states have an expanded definition of personal information, such as Maryland, where an individual taxpayer identification number is protected personal information, and North Carolina, where personal information includes mother’s maiden name, computer system password, electronic signature and unique biometric data such as a fingerprint, voice print, retinal image or iris image.
In general, under most BNLs, for there to be a “breach” the following elements must be met, with common variations in parentheses: (i) (reasonable likelihood of) unauthorized and bad-faith (ii) acquisition of (iii) unencrypted or unredacted (iv) (computerized) personal information (v) (which is likely to cause harm). The absence of one or more of the elements of the applicable BNL will excuse the notification requirement in that state. Of special note, in many jurisdictions mere knowledge of a potential breach will trigger a duty to investigate.
An easy-to-read chart of all BNLs is available from the National Conference of State Legislatures.

Covered Entities
Breach notification laws tend to cast a wide net, applying to persons or entities that acquire, own, or license computerized data that includes personal information of that state’s residents and, in most states, regardless of whether that person or entity is registered to conduct business in the state. As such, not only do owners or licensees of data have obligations under BNLs, but so do individuals and entities that have access to personal data on the covered entities’ behalf.

Safe Harbor
Almost all states’ BNLs have a safe harbor provision, which provides that notification is not required if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted, redacted or otherwise secured by a method or technology that renders it unreadable or unusable. Data is encrypted if it is in a form that is unreadable or unusable without use of a confidential process or key; encrypted data whose key was taken in the same incident will not meet that standard. Data is redacted if it has been altered or truncated so that no more than five digits of a Social Security number, or only the last four digits of a driver’s license number, state identification number or account number, are accessible.
In the event of a breach or suspected breach, the party subject to the BNL will have to show that the compromised data met that particular state’s statutory definition or standard of encryption and/or redaction in order to invoke safe harbor protection.
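The two tests described in this section, the common “name plus data element” definition of personal information and the encryption/redaction safe harbor with its five-digit and last-four standards, are easiest to apply consistently to a large dump of compromised records in code. The following is an added example written for this post; it is not a statutory text, a regulator’s tool, or code from any firm. The Record fields, the mask characters, and the sample values are constructed, and the thresholds are the common ones described above, so any result still has to be checked against the specific state’s statute before a notification decision is made.

```python
"""Triage of compromised records against the common state breach-notification
definition of "personal information" and the encryption/redaction safe harbor.
Added example; the field names, mask characters and thresholds are assumptions
that follow the generic definitions in the post, not any particular statute."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MASK_CHARS = set("*Xx#")   # characters a redaction routine is assumed to write over digits
SEPARATORS = set("- ")     # formatting characters ignored when measuring what is readable


@dataclass
class Record:
    label: str                             # identifier for the sample record (constructed data)
    first_name: str                        # a first initial alone satisfies the name element
    last_name: str
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None
    account_number: Optional[str] = None
    account_secret: Optional[str] = None   # PIN, password or security code stored with the account
    encrypted: bool = False                # True if the values were encrypted at rest when taken


def ssn_redacted(value: str) -> bool:
    """Redaction standard for SSNs: no more than five digits may be accessible."""
    return sum(c.isdigit() for c in value) <= 5


def last_four_only(value: str) -> bool:
    """Redaction standard for driver's license, state ID and account numbers:
    only the last four characters may be readable; everything before them must be
    masked. A value of four or fewer characters exposes nothing beyond the last four."""
    chars = [c for c in value if c not in SEPARATORS]
    return all(c in MASK_CHARS for c in chars[:-4])


def triggering_elements(rec: Record) -> list[str]:
    """Data elements that, combined with the name, make the record 'personal information'.
    Elements meeting the redaction standard are skipped, since redacted data is excluded."""
    if not (rec.first_name and rec.last_name):
        return []   # without a name there is no personal information under this definition
    found: list[str] = []
    if rec.ssn and not ssn_redacted(rec.ssn):
        found.append("ssn")
    if rec.drivers_license and not last_four_only(rec.drivers_license):
        found.append("drivers_license")
    # an account/card number counts only together with the code, PIN or password needed to use it
    if rec.account_number and rec.account_secret and not last_four_only(rec.account_number):
        found.append("account_number+secret")
    return found


def requires_notification(rec: Record) -> bool:
    """Encrypted data falls within the safe harbor; otherwise notify if any element triggers."""
    if rec.encrypted:
        return False
    return bool(triggering_elements(rec))


def triage(records: list[Record]) -> list[tuple[str, list[str], bool]]:
    """Per-record result: (label, triggering elements, notification required)."""
    return [(r.label, triggering_elements(r), requires_notification(r)) for r in records]


# Constructed sample records; none of the names or numbers belong to a real person.
SAMPLE_RECORDS = [
    Record("full-ssn", "Ann", "Lee", ssn="123-45-6789"),
    Record("redacted-ssn", "Ann", "Lee", ssn="XXX-XX-6789"),
    Record("card+pin", "B", "Ortiz", account_number="4111 1111 1111 1111", account_secret="0426"),
    Record("masked-card+pin", "B", "Ortiz", account_number="**** **** **** 1111", account_secret="0426"),
    Record("card-no-pin", "B", "Ortiz", account_number="4111 1111 1111 1111"),
    Record("encrypted-ssn", "Ann", "Lee", ssn="123-45-6789", encrypted=True),
    Record("no-last-name", "Ann", "", ssn="123-45-6789"),
]

if __name__ == "__main__":
    for label, elements, notify in triage(SAMPLE_RECORDS):
        print(f"{label:18} elements={elements or '-'} notify={notify}")
```

The "encrypted-ssn" record is the case practitioners most often get wrong: the record still contains a triggering element, but the safe harbor turns notification off, which is only defensible if the entity can show the ciphertext was unreadable without a key that the intruder did not also obtain. The "card-no-pin" record shows the other side of the definition: a bare account number without its access code is not personal information under the common test, though some states’ expanded definitions differ.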

Notification Procedures
The time frame in which breached entities must notify victims varies by jurisdiction, ranging from “in the most expedient time possible and without unreasonable delay” to “no longer than 7 business days” to “no later than 45 days.” Further, depending on the statute, the notice can be written, electronic, or even conveyed over a telephone conversation.
Most BNLs require covered entities to notify additional parties besides the victims of the breach. For instance, if the number of victims exceeds a certain threshold, usually 1,000 individuals, the breached entity may have to notify the consumer reporting agencies. Massachusetts, Maryland, Louisiana and a majority of other states and jurisdictions require that, in the event of a breach, covered entities notify some type of regulatory authority, such as the attorney general, the director of consumer affairs, or the insurance commissioner.
Nevada and other states extend the notification duty to entities that maintain data owned by other entities. In this situation, notice must be given to the owner of the data, which in turn triggers the owner’s duty to notify victims.

Form of Notice
In many BNLs, notice requires individual written notice that includes a description of the incident in general terms, a description of the type of personal information that was subject to the unauthorized access, and contact information of the covered entity for further questions. It is also common for BNLs to mandate that the notice inform the resident that he/she has a right to obtain reports from the police department and consumer reporting agencies, and provide instructions on how to request a security freeze. Often, notification by email may be permitted if the affected resident consented to receive electronic notice from the covered entity or if there is an existing business relationship with the affected resident that includes periodic electronic communications.
In addition, “substitute notice” in the form of an email to affected residents or a conspicuous posting on the covered entity’s website may be allowed where individual written notice would be costly or the affected class of individuals is numerous. For example, Massachusetts allows for substitute notice if the cost of providing notice would exceed $250,000, the number of affected Massachusetts residents exceeds 500,000, or the covered entity does not have sufficient contact information to provide notice.

Mobile App Developer Recommendations
In January 2013, California’s Attorney General Kamala D. Harris posted a set of privacy recommendations for App Developers, App Platform Providers and Advertising Networks operating in the mobile app sphere.
This set of recommendations exceeds California’s statutory mandates in many areas, but industry players including Amazon, Apple, Google and Facebook have already endorsed them. The voluntary recommendations encourage developers, at the outset of development, to adopt the following practices and build in the following functionalities: (1) avoid collecting personal information from users that is not necessary for an app’s basic functionality; (2) make the app’s privacy policy easily accessible before the app is downloaded and written in easy-to-understand language; (3) provide alerts to users and give them control over data practices, delivered in context and just-in-time; and (4) limit the period of time for which data is retained to the time period necessary to complete the function for which the data was collected.
As many developers’ business models depend on data collection for attracting advertisers, it seems unlikely that these recommendations will be widely adopted.

United States – European Union Safe Harbor Program

For businesses that have relationships with EU companies or have customers in the EU, it should be noted that the European Union’s adequacy standard for privacy protection is defined differently than it is in the United States. The European Commission, the executive body of the EU, mandated that companies operating in the EU are not allowed to send personal data to countries outside the “European Economic Area” (EEA) unless there is a guarantee that it will receive adequate levels of protection. In an effort to streamline the process for US companies to comply with EU Directive 95/46/EC, the U.S. Department of Commerce, in consultation with the EU, created the US-EU Safe Harbor Program.

The US-EU Safe Harbor Program is a certification process that US companies can opt into by complying with the Seven Safe Harbor Privacy Principles. Eligible companies can self-certify or hire a third party to perform the assessment. All companies must be re-certified every 12 months.

Besides the opportunity to work with EEA companies and clients, enrollment in the US-EU Safe Harbor Program provides that claims brought by EU citizens against U.S. companies will be heard in the U.S., subject to certain limitations. Further, the streamlined process encourages participation by small and medium organizations. A list of certified Safe Harbor organizations is available to the public.

Currently, the European Commission is considering replacing Directive 95/46/EC with a regulation, which, as a regulation, cannot be amended or tailored by individual member states. As Vice President of the European Commission, EU Justice Commissioner Viviane Reding explains:

The EU already has a data protection law: a Directive which dates back to 1995. In the intervening 18 years, the Member States have reacted to new technologies differently. The result is an inconsistent patchwork of 27 different national laws. It entails huge legal costs for firms who simply want to do business across the EU. The European Commission is eliminating those costs by replacing the current Directive by one single clear set of rules for all businesses in the Union – resulting in savings for companies of around 2.3 billion EUR per year.

Canada’s Personal Information Protection and Electronic Documents Act

A U.S.-based organization that handles personal information of Canadians is subject to the country’s Personal Information Protection and Electronic Documents Act (PIPEDA). Passed in 2000, PIPEDA is Canada’s national privacy law applying to personal information collected, used and disclosed by private sector organizations involved in commercial activities. In its current form, PIPEDA does not require organizations to notify individuals whose personal information was involved in a breach. Nor does it require organizations to notify a regulatory authority. What PIPEDA does require of organizations is that they meet certain safeguarding standards through the use of physical, technological and organizational measures.
In February 2013, Bill C-475 was introduced in the House of Commons. In relevant part, organizations would have to “notify the Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access.” The Commissioner may then require the organization to notify affected individuals; however, at any point an organization may voluntarily notify individuals. Those interested in the progress of the bill can visit the Parliament’s website here.

Closing

The widespread application of data security breach notification laws should not be underestimated. Not only are more businesses collecting personal information, but technology has enabled businesses to collect more types of personal information and retain it for longer periods of time. Somewhat surprisingly, some companies are unaware that they are collecting personal information from their users and employees. Information gathering is a necessary part of growing a business and providing better products and services. With this practice, however, all businesses must have appropriate privacy and security measures in place. Part of any periodic business evaluation should include a review of these privacy and security measures by legal counsel that is well versed in technology and has experience navigating and applying the various laws and regulations.

New M&A Survey says Earnouts Equals Lawsuit

Recently, Morrison & Foerster published a survey on Mergers and Acquisitions in the upcoming climate. With respect to most of these deals, particularly in discussions with our clients, we discuss likely exit strategies.

In today’s market, “Earnouts” are a normal part of the deal. Sellers want a higher valuation, Buyers want less risk, and Earnouts provide some assurance to the Buyer that the acquired company/employees will perform, while the Seller gets a higher valuation. Interestingly enough, the back-end issues with Earnouts are always up for a fight. Look below for MoFo’s recent notes related to Earnouts.

More specifically, you’ll note that they report 75% of Earnout provisions being subject to litigation after the deal closes. Food for thought!

9. The Inside View on Earnouts – Respondents had a surprisingly favorable (or at least grudgingly practical) view of earnouts as an acquisition technique. More than 80% said their company (or their client company) included earnout clauses in M&A agreements during the past two years. Among that group, over 30% reported that they’ve used earn-out clauses in over one-half of their transactions over that period.

  • Earnout Metrics: As for which yardsticks work best for measuring earnout-related performance, nearly half of respondents pointed to achievement of revenue targets, while roughly one-fourth cited achieving profitability goals.
  • A Recipe for Conflict?: Almost three-quarters of those who’ve used earnouts said such clauses have led to subsequent disputes or litigation; nearly one-fifth of respondents estimated there had been post-deal conflict over earnouts up to half of the time. An unlucky 10% of participants said that the use of earnouts had led to disputes or lawsuits more than 75% of the time.

UK’s New Cookie Law Goes Into Effect

In response to the EU’s e-privacy directive, put into place in 2009, the UK passed, about one year ago, the Privacy and Electronic Communications Regulations (PECR) 2011. The law requires websites to gain your consent if they want to use cookies, whether for tracking or analytics. Fortunately, the type of consent need not be explicit. PECR gave websites and companies 12 months to achieve compliance with the law, and those 12 months have now passed.

Among other things, PECR also revoked the Telecommunications (Data Protection and Privacy) Regulations 1999 and the Telecommunications (Data Protection and Privacy) (Amendment) Regulations 2000.

Companies should be aware that non-compliance can result in a fine of up to £500,000.

FTC Announces Revised Thresholds for Clayton Act Antitrust Reviews

The Federal Trade Commission announced it has revised the thresholds that determine whether companies are required to notify federal antitrust authorities about a transaction under the Hart-Scott-Rodino Antitrust Improvements Act. These filing thresholds are required to be adjusted annually to keep pace with inflation, unlike the pre-merger filing fees, which have not changed in more than a decade.

Full article here.

Microsoft loses appeal in Supreme Court, i4i is one step closer to huge payout

The Supreme Court’s opinion, authored by Justice Sotomayor, held that in enacting 35 U.S.C. § 282, the U.S. Congress adopted both the allocation of the burden of proof and the standard of proof existing in the common law for challenges to a patent’s validity. The Court reasoned that the requirement that patent invalidity be proved by clear and convincing evidence was firmly grounded in the common law, as expressly stated in its decision in RCA v. Radio Engineering Labs, Inc., 293 U.S. 1 (1934).

Although on the surface it looks like i4i has won the case outright, Microsoft still has an outstanding challenge to the patent itself, and this may lead to an even larger settlement amount. Representatives from Microsoft have said that the money for the settlement had been set aside in advance, and that the decision of the court would not have an effect on earnings projections.